CISOs Share Tales From the Trenches at RSA Conference 2016

There are many themes that stretch across the information security world, but most organizations face their own particular challenges that require customized approaches.

This was the clear takeaway from a well-attended panel at the RSA Conference Thursday, Lessons Learned from Real-World CISOs, during which CISOs from the medical device, education, health insurance and consumer goods sectors detailed their particular challenges, and how they're tackling them.

The most compelling issue facing Blue Cross Blue Shield of Michigan is rehabbing the company's reputation in the wake of an incident last year in which an employee shared screen shots of more than 5,000 subscribers with a handful of people outside of the organization. All of the people in question were arrested after allegedly committing identify theft with the data, and they, along with the former employee, are facing ID theft and credit card fraud charges.

But as Tom Baltis, CISO of Blue Cross Blue Shield, was reminded, solving such a case doesn't make all the resulting problems go away. Not only did the company just post its first annual loss in five years, with the breach a possible contributor, it also has to rebuild customer confidence.

"The lever of trust our customers have in us has eroded," said Baltis. "We're spending a lot of time engaging with our customers to ensure we have a continuing dialogue with them."

Medical device provider Baxter Healthcare Corp. hasn't had a breach along those lines, but that doesn't mean it doesn't live in fear of one. After all, whereas a breach has grave financial repercussions for Blue Cross Blue Shield, the consequences for Baxter are even more serious.

"We need to be able to adapt to how a Microsoft patch affects my patients' safety," said Pavel Slavin, Baxter's technical director of medical device cyber security. For example, Slavin noted that a small patch has the potential to kill a patient if it changes the parameters of a device.

The scary thing for Baxter is that the odds say it's only a matter of time; Slavin quoted a staggering statistic indicating that 63 percent of healthcare companies were penetrated last year. And he's not sure he can prevent Baxter's name from joining the list.

"There are no clear answers," he said.

For Don Smyczynski, CISO of multi-national food supplier Rich Products, the main concerns have to do with employee and partner access to and use of data.

With operations in 100 countries, it's almost impossible for Smyczyinski to have visibility into everything, and that's allowed employees to get a bit careless with the data they have access to, resulting in intellectual property essentially walking out the door on occasion.

"People feel a lot of ownership about their data," said Smyczynski. "They think they can do anything with it."

To combat this data leak, Smyczynski said Rich, best known for essentially inventing the non-dairy frozen food category, has structured its systems on a need-to-know basis. It's also instituted a new HR process that terminates all access for employees who transfer to a new team, and then recreates their access profile from the ground up.

"People have been here 20, 30 years, and been in multiple roles, and have access to all of those systems," he said. "We're tightening that up."

Similarly, the company has had to look more closely at vendor access to its systems since Smyczynski took over the CISO position and found that there were vendors that were out of business yet still had access to Rich's systems.

As complex as these issues are, they pale in comparison to the array of security challenges Randy Marchany, CISO of Virginia Tech University, faces every day. Marchany has had to ramp up vigilance on the security front since a breach in 2013 in which human error exposed personal information on 145,000 people who'd applied online for jobs over the previous 10 years.

Marchany didn't mention the breach, but he painted a detailed picture of the multi-headed security beast a major university represents. In addition to large populations of students, faculty and administration, each of which uses different tools, behaves differently on the network, and accesses completely different sets of data, there are many entities—from the campus hospital and police force to the housing and athletic departments—that also have particular needs.

Marchany also provided some insight into how he attempts to protect these various buckets of users.

For instance, because the campus is 100 percent wireless, Marchany said a perimeter firewall would be relatively useless, so instead he establishes a firewall around every device. And there are a lot of devices. Students alone bring an average of five devices with them to school: a laptop, desktop (for gaming), smart phone, tablet and connecting gaming system such as an Xbox.

With so many devices and network nodes to target, Marchany doesn't focus on keeping attackers out of the network. Nor does he focus on device security. Instead, he focuses on securing data, and outgoing data in particular.

"Knowing what leaves your network is much more important than what comes into your network," Marchany said, suggesting that corporate America should consider a similar approach rather than trying to put the brakes on the bring-your-own-device phenomenon.